blog.greggman.com

How to detect E-Mail Scams (Phishing)

2006-01-08

What do the following 5 e-mails have in common?

They are all fake, bogus, not really from Paypal, Amazon or Wells Fargo. They
are e-mail scams. Sending this kind of e-mail is called "phishing", as in
fishing for suckers.

I get at least a couple of these every week, and because I'm a computer geek
I know how to tell that they are fake, but I suspect most people don't,
including many of my friends and family. It really sucks that the net makes it
so easy for bad people to screw over good people, but that's the way it is
for now.

Microsoft, Google, Yahoo and many others are working on solutions but in the
meantime, hopefully the instructions below will help you avoid getting taken in
by these phishing scams.

The first thing to look at is the To address. In my case, my Paypal account is
not registered to gregg@yahoo.com or gregg@activestate.com, so clearly this is
fraudulent mail. For those of you that use only one e-mail address, you're
unlikely to get that lucky. Most likely your real e-mail address will appear
there, but if it's not the correct e-mail address you already know it's fake.
Delete it.

Now it gets more difficult. What you have to do is check whether the link in
the e-mail actually goes to the site it claims to be from. The link might
appear to go to Paypal, but what it shows and where it actually goes are
separate things.

The first thing you can check, especially if you are using web based e-mail,
is to "hover" the mouse cursor over the link. Your browser *might* show where
the link goes in the status bar of the browser.

Here we can see that the link is not going to Paypal. It's going to some site
called 200.181.57.130. Clearly this link is fake.

Unfortunately, even if it said Paypal.com in the status bar, that doesn't
mean the link would actually go to Paypal. There are ways of hiding that. In
other words, this step might tell you immediately if the link is fake, but if
it looks like a valid URL you still have to dig deeper.

In most e-mail programs and e-mail websites you can right click on the e-mail
and pick "View Source".

This will bring up some kind of program that shows you the codes used to
display the e-mail you are looking at. It will most likely look like lots of
gibberish. You need to search for what you see as the link. In the case of
example #1 above I searched for "Click here".

If it doesn't find it, you can pretty much be sure the mail is fake. In my
case it found it.

Now, we have to look for the part just before that that says href=

and to the right of that we see the actual link

Again, it's not Paypal, so this is fake. In the case of examples #2 and #3
above they show links, so I searched for part of the link
("https://www.paypal").

I found it here and what do you know, the actual link goes to some site called
only666times.de. Yes, some asshole is trying to rob me again. 😞

Note that you still have to be careful because the link might only be subtly
fake. I've seen links like http://paypal.com.someothersite.tw or other
convoluted things that try to make the link appear real.

Unfortunately it gets worse. It's possible that even if the links look 100%
correct, the e-mail is designed to take you somewhere else. Technically,
e-mail links can be programmed so that when you click the link a small piece
of code runs. That code, instead of going to the link you see specified, can
take you to some other link instead, and unfortunately there is no easy way
to look for that kind of hack. Most e-mail programs attempt to remove those
hacks. For example, a fully up to date and patched Outlook will tell you the
e-mail has scripts in it. Scripts = code. If it says this you know the e-mail
is fake. No legitimate e-mail has scripts in it.

Gmail and Yahoo mail both attempt to delete the scripts from the e-mail, but
there is probably a way around most of them.
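As an added illustration (not code from the original post), here is a small
Python checker that applies the checks above to an HTML e-mail body: it pulls
the real href out of every link, flags bare-IP hosts and hosts that are not the
expected domain or a true subdomain of it (so the paypal.com.someothersite.tw
trick is caught), compares a visible URL against where the link really goes,
and reports any script in the message. The sample e-mail body is constructed
for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample body with the tricks described above: a bare-IP link behind
# "Click here", a paypal.com.* look-alike behind a pasted PayPal URL, a genuine link, a script.
SAMPLE_EMAIL = """
<p><a href="http://200.181.57.130/cgi-bin/webscr">Click here</a> to confirm.</p>
<p><a href="http://paypal.com.someothersite.tw/login">https://www.paypal.com/login</a></p>
<p><a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<script>window.location = "http://only666times.de/";</script>
"""
class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and notes any <script> tag."""
    def __init__(self):
        super().__init__()
        self.links, self.has_script, self._cur = [], False, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.has_script = True
        elif tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur[0], self._cur[1].strip()))
            self._cur = None

def host_of(url):  # lower-cased host of a URL, '' if it has none
    return (urlparse(url).hostname or "").lower()

def host_matches(host, expected):
    """expected itself or a true subdomain; paypal.com.someothersite.tw fails."""
    return host == expected or host.endswith("." + expected)

def check_email(html, expected):
    """Return (reason, href) findings; an empty list means nothing looked wrong."""
    p = LinkCollector()
    p.feed(html)
    findings = [("script in e-mail", "")] if p.has_script else []
    for href, text in p.links:
        host = host_of(href)
        if host.replace(".", "").isdigit():  # dotted-quad IPv4 such as 200.181.57.130
            findings.append(("link goes to a bare IP address", href))
        elif not host_matches(host, expected):
            findings.append(("link host is not " + expected, href))
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != host:  # a visible URL must lead where it says
            findings.append(("shows %s but goes to %s" % (shown, host), href))
    return findings
```

Run `check_email(SAMPLE_EMAIL, "paypal.com")` and every finding names the
reason and the real href, which is the same information the "View Source"
search gives you by hand.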

The best advice is, first, if it's not important, ignore the e-mail.
Otherwise, if you are concerned, and if you've followed all the steps above
and the mail looks like it might actually be legit, still don't click the
link. Instead, manually launch a browser window, go directly to the site
yourself, log into your account for the site in question and ask their
customer service directly if there is something they need to talk to you
about.